A packer is a software tool that compresses code but in such a way that it can still be executed (i.e. run – known as runtime compression). It is used usually to reduce the size of software for storage and also to deter reverse engineering. Packers usually have their own unique way of operating and leave their unique signature on code they have compressed.

Some packers are almost exclusively used for creating malware, so security apps look for code that has the signature associated with these packers and gives them extra scrutiny. Packers obfuscate code so if one wanted to disguise code that has already been flagged as malicious by security apps, using a new packer to pack it could allow the code to go undetected by the apps – but if a standard off the shelf packer is used, it will receive extra scrutiny as detailed above.

For zero day attacks, malicious actors must either create new code or attacks that never existed before, or obfuscate existing code by using a new packer. (Effitas is able to create our own packing tools with signatures never seen before – we use these to replicate zero day attacks and for APT testing).